SB2022072096 - Multiple vulnerabilities in Oracle Agile Engineering Data Management

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2021-29425)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error within the FileNameUtils.normalize method when processing directory traversal sequences, such as "//../foo", or "\..foo". A remote attacker can send a specially crafted request and verify files availability in the parent folder.

2) Incorrect default permissions (CVE-ID: CVE-2020-17521)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for temporary files and folders that are set by the application. A local user with access to the system can view contents of files and directories or modify them.

3) Resource exhaustion (CVE-ID: CVE-2021-36374)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing ZIP archives. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

4) Infinite loop (CVE-ID: CVE-2022-23437)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when parsing XML documents. A remote attacker can supply a specially crafted XML document, consume all available system resources and cause denial of service conditions.

5) Protection mechanism failure (CVE-ID: CVE-2019-10086)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exist due to Beanutils is not using by default the a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse such application behavior against applications that were developed to rely on this security feature.

6) Resource exhaustion (CVE-ID: CVE-2021-42340)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when processing HTTP connections. A remote attacker can initiate multiple HTTP connections with the web server and consume all available memory on the system.

7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2020-11987)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

8) Exposed dangerous method or function (CVE-ID: CVE-2020-10683)

The vulnerability allows a remote attacker to abuse implemented functionality.

The vulnerability exists due to dom4j allows by default external DTDs and External Entities. A remote attacker can abuse this functionality and perform XXE attack against application that uses dom4j default configuration.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpujul2022.html?3252